[Openswan Users] Direct ipsec with iphone and Debian Lenny - problem with mode config
openswan at greenant.net
Tue Dec 1 13:46:53 EST 2009
I have been trying to get direct IPsec running with a road warrior
setup for iPhone.
I'm using Debian Lenny and iPhone OS 3.0
I have installed the standard package Openswan 2.4.12
I have followed the online guides and feel like I'm getting close, but
can't seem to sort out some late errors with the mode config settings.
I'm not really sure what's happening but at least the auth part seems
OK and it's getting to STATE_MAIN_R3
HELP!!
Here are the logs and configs:
auth.log if I set the RIGHT as the modeconfig server:
------------------------------------------------------
added connection description "roadwarrior"
pluto[9359]: listening for IKE messages
pluto[9359]: adding interface eth0/eth0 192.168.0.5:500
pluto[9359]: adding interface eth0/eth0 192.168.0.5:4500
pluto[9359]: adding interface lo/lo 127.0.0.1:500
pluto[9359]: adding interface lo/lo 127.0.0.1:4500
pluto[9359]: adding interface lo/lo ::1:500
pluto[9359]: forgetting secrets
pluto[9359]: loading secrets from "/etc/ipsec.secrets"
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [RFC 3947] method set to=109
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike] method set to=110
pluto[9359]: packet from 206.207.225.33:58791: ignoring unknown Vendor
ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
pluto[9359]: packet from 206.207.225.33:58791: ignoring unknown Vendor
ID payload [439b59f8ba676c4c7737ae22eab8f582]
pluto[9359]: packet from 206.207.225.33:58791: ignoring unknown Vendor
ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
pluto[9359]: packet from 206.207.225.33:58791: ignoring unknown Vendor
ID payload [80d0bb3def54565ee84645d4c85ce3ee]
pluto[9359]: packet from 206.207.225.33:58791: ignoring unknown Vendor
ID payload [9909b64eed937c6573de52ace952fa6b]
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 110
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using
method 110
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 110
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [XAUTH]
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [Cisco-Unity]
pluto[9359]: packet from 206.207.225.33:58791: received Vendor ID
payload [Dead Peer Detection]
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: responding to Main
Mode from unknown peer 206.207.225.33
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: STATE_MAIN_R1: sent
MR1, expecting MI2
Nov 30 16:58:30 odyssey pluto[9359]: "roadwarrior"[1] 206.207.225.33
#1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X):
both are NATed
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: STATE_MAIN_R2: sent
MR2, expecting MI3
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: Main mode peer ID is
ID_IPV4_ADDR: '10.133.199.133'
pluto[9359]: "roadwarrior"[1] 206.207.225.33 #1: switched from
"roadwarrior" to "roadwarrior"
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: deleting connection
"roadwarrior" instance with peer 206.207.225.33 {isakmp=#0/ipsec=#0}
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: I did not send a
certificate because I do not have one.
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256
prf=oakley_sha group=modp1024}
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: Sending XAUTH
Login/Password Request
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: Sending
Username/Password request (XAUTH_R0)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: received and ignored
informational message
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: User USER:
Attempting to login
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: pam
authentication being called to authenticate user USER
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: User USER:
Authentication Successful
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: XAUTH: xauth_inR1(STF_OK)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: transition from state
STATE_XAUTH_R1 to state STATE_MAIN_R3
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established
--- if RIGHT is set to modecfg server, the following then happens:
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: modecfg: Sending IP
request (MODECFG_I1)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Mode Config message
is unacceptable because it is for an incomplete ISAKMP SA
(state=STATE_MODE_CFG_I1)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Mode Config message
is unacceptable because it is for an incomplete ISAKMP SA
(state=STATE_MODE_CFG_I1)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Mode Config message
is unacceptable because it is for an incomplete ISAKMP SA
(state=STATE_MODE_CFG_I1)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Mode Config message
is unacceptable because it is for an incomplete ISAKMP SA
(state=STATE_MODE_CFG_I1)
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Mode Config message
is unacceptable because it is for an incomplete ISAKMP SA
(state=STATE_MODE_CFG_I1)
----- here the iphone asks me to "enter your user authentication"
------ If I click OK, it continues
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: received mode cfg reply
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: transition from state
STATE_MODE_CFG_I1 to state STATE_MAIN_I4
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: STATE_MAIN_I4: ISAKMP
SA established
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: received mode cfg reply
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: Expecting
MODE_CFG_ACK, got 1 instead.
pluto[9359]: packet from 206.207.225.33:65534: We were in phase 1,
with no state, so we went to XAUTH_R0
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: next payload type of
ISAKMP Hash Payload has an unknown value: 146
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: malformed payload in packet
pluto[9359]: | payload malformed after IV
pluto[9359]: | 5a b1 fe 0b 3e e2 6a 06 c5 ce 26 b3 90 87 f8 9c
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: sending notification
PAYLOAD_MALFORMED to 206.207.225.33:65534
---- This part repeats about 4 times -----
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: received Delete SA
payload: deleting ISAKMP State #1
pluto[9359]: "roadwarrior"[2] 206.207.225.33: deleting connection
"roadwarrior" instance with peer 206.207.225.33 {isakmp=#0/ipsec=#0}
Alternatively, if no modecfg client/server is specified but
modecfgpull=yes is specified, the following happens after this line:
----------------------------------
pluto[9359]: "roadwarrior"[2] 206.207.225.33 #1: STATE_MAIN_R3: sent
MR3, ISAKMP SA established
pluto[10862]: "roadwarrior"[2] 206.207.225.33 #1: received MODECFG
message when in state STATE_MAIN_R3, and we aren't xauth client
pluto[10862]: "roadwarrior"[2] 206.207.225.33 #1: received MODECFG
message when in state STATE_MAIN_R3, and we aren't xauth client
pluto[10862]: "roadwarrior"[2] 206.207.225.33 #1: received MODECFG
message when in state STATE_MAIN_R3, and we aren't xauth client
pluto[10862]: "roadwarrior"[2] 206.207.225.33 #1: received Delete SA
payload: deleting ISAKMP State #1
"roadwarrior"[2] 206.207.225.33: deleting connection "roadwarrior"
instance with peer 206.207.225.33 {isakmp=#0/ipsec=#0}
Here are the configs that I have been using. I haven't included my
firewall settings as I think that part is alright, but please let me
know if they'll be helpful.
IP settings
-------------
local ip: 192.168.0.5 (static)
gateway: DL-406 Router with IPsec passthrough and DMZ for server enabled:
192.168.0.1
ipsec.conf
-------------------
#/etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006-10-19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0

# Add connections here
conn roadwarrior
    dpdaction=clear
    authby=secret
    modecfgpull=yes
    right=%any
    rightxauthclient=yes
    rightmodecfgserver=yes
    rightnexthop=192.168.0.1
    rightsubnet=vhost:%no,%priv
    left=%defaultroute
    leftxauthserver=yes
    leftmodecfgclient=yes
    auto=add
    pfs=no
    leftsubnet=192.168.0.0/24

# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
ipsec.secrets
----------------
192.168.0.5 %any: PSK "SECRET"
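Added example, not from the post or from the Openswan project: a small Python checker that parses an ipsec.conf and flags a conn whose XAUTH and ModeCfg roles are split across the two sides, which is what the roadwarrior conn above does (left is XAUTH server but ModeCfg client, right is XAUTH client but ModeCfg server). It assumes the usual road-warrior layout in which the gateway side holds both server roles and the road warrior both client roles; the sample conn is reconstructed from the post with unrelated keys dropped.

```python
"""Added example (not from the post or Openswan): flag inconsistent
XAUTH/ModeCfg roles in an Openswan ipsec.conf road-warrior conn."""

# Constructed sample: the poster's roadwarrior conn, roles exactly as posted,
# comments and keys unrelated to the roles dropped.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
conn roadwarrior
    right=%any
    rightxauthclient=yes
    rightmodecfgserver=yes
    left=%defaultroute
    leftxauthserver=yes
    leftmodecfgclient=yes
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; works even when the indentation that
    ipsec.conf normally requires was lost in a mail paste."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith(("conn ", "config ")):  # section header
            current = line.split(None, 1)[1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections                                # 'version'/'include' skipped


def role_problems(conn):
    """List role inconsistencies: one side should be both XAUTH server and
    ModeCfg server (the gateway), the other both XAUTH and ModeCfg client."""
    yes = lambda key: conn.get(key, "no").lower() == "yes"
    problems = []
    for side in ("left", "right"):
        if yes(side + "xauthserver") and yes(side + "modecfgclient"):
            problems.append(side + " is XAUTH server but ModeCfg client")
        if yes(side + "xauthclient") and yes(side + "modecfgserver"):
            problems.append(side + " is XAUTH client but ModeCfg server")
    servers = [s for s in ("left", "right") if yes(s + "modecfgserver")]
    if len(servers) != 1:
        problems.append("expected one ModeCfg server side, found %d" % len(servers))
    return problems
```

Running `role_problems(parse_ipsec_conf(SAMPLE_CONF)["roadwarrior"])` reports both split roles; the same conn with the ModeCfg server/client keys swapped to the other sides reports nothing.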